Bug #4719

IKEv2 to Cisco ASA results in TS mismatch when initiation triggered by traffic

Added by Chris Buechler almost 4 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Start date: 05/20/2015
% Done: 0%
Affected Version: 2.2.x

Description

IKEv2 to Cisco ASA won't come up when initiation is triggered by traffic matching the P2. It results in the following on the ASA.

Local:172.27.44.49:500 Remote:172.27.44.26:500 Username:172.27.44.26 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 192.168.152.0/192.168.152.255/0/65535/0 local traffic selector 192.168.25.0/192.168.25.255/0/65535/0!

But if you run 'ipsec up con1', it comes up and works fine. It also rekeys fine on its own.
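As an added example (not code from the ticket, pfSense or strongSwan), the script below parses the ASA "Crypto Map Policy not found" message quoted in the description and checks the proposed selectors against the subnets the ASA's crypto map is configured for. It assumes the ASA prints a selector as start_ip/end_ip/start_port/end_port/protocol, with protocol 0 meaning any; the sample line is the one from this ticket, embedded as a constant. When both selectors come back as exactly the configured subnets, as they do here, the rejection is not a subnet typo in either phase 2 definition, and the place to look is how the initiator built its selectors, which is what the charon option `ignore_acquire_ts = yes` changes by making charon ignore the selectors derived from the triggering packet.

```python
import ipaddress
import re

# Constructed sample input: the ASA rejection message quoted in the ticket.
SAMPLE_LINE = (
    "Local:172.27.44.49:500 Remote:172.27.44.26:500 Username:172.27.44.26 "
    "IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic "
    "selector 192.168.152.0/192.168.152.255/0/65535/0 local traffic selector "
    "192.168.25.0/192.168.25.255/0/65535/0!"
)

# Assumption: the ASA prints a traffic selector as
# start_ip/end_ip/start_port/end_port/protocol (protocol 0 = any).
LINE_RE = re.compile(
    r"Local:(?P<asa>[\d.]+):\d+ Remote:(?P<peer>[\d.]+):\d+.*"
    r"remote traffic selector (?P<rts>[\d./]+) "
    r"local traffic selector (?P<lts>[\d./]+)"
)


def parse_selector(text):
    """Turn 'a.b.c.d/e.f.g.h/p1/p2/proto' into CIDR networks, a port range and a protocol."""
    start, end, p_start, p_end, proto = text.split("/")
    networks = ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)
    )
    return {
        "networks": [str(n) for n in networks],
        "ports": (int(p_start), int(p_end)),
        "protocol": int(proto),
    }


def parse_rejection(line):
    """Extract both peers and both selectors from a rejection line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "asa": m["asa"],
        "peer": m["peer"],
        "remote_ts": parse_selector(m["rts"]),
        "local_ts": parse_selector(m["lts"]),
    }


def selector_is_whole_subnet(selector, cidr):
    """True if the selector is exactly the given subnet for any protocol and any port."""
    return (
        selector["networks"] == [str(ipaddress.ip_network(cidr))]
        and selector["ports"] == (0, 65535)
        and selector["protocol"] == 0
    )


def diagnose(line, asa_local_cidr, asa_remote_cidr):
    """Classify a rejection by whether the proposed selectors match the ASA's crypto map subnets."""
    parsed = parse_rejection(line)
    if parsed is None:
        return "not a traffic-selector rejection"
    local_ok = selector_is_whole_subnet(parsed["local_ts"], asa_local_cidr)
    remote_ok = selector_is_whole_subnet(parsed["remote_ts"], asa_remote_cidr)
    if local_ok and remote_ok:
        # The subnets agree, so the problem is not a phase 2 definition on
        # either side; look at how the initiator assembled its selectors.
        return "selectors match crypto map; check initiator TS handling"
    if not local_ok and not remote_ok:
        return "both selectors differ from crypto map"
    return "local selector differs" if not local_ok else "remote selector differs"


if __name__ == "__main__":
    print(parse_rejection(SAMPLE_LINE))
    print(diagnose(SAMPLE_LINE, "192.168.25.0/24", "192.168.152.0/24"))
```

`diagnose` takes the subnets from the ASA's point of view (its own local network first), so the same function can be run over a syslog export to separate genuine phase 2 mismatches from rejections like this one, where the subnets are right and the initiator's selector handling is the cause.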

Associated revisions

Revision 4225416f
Added by Chris Buechler about 3 years ago

Always set ignore_acquire_ts = yes. No need for that in any of our use cases, and it fixes problems like Ticket #4719.

History

#1 Updated by Chris Buechler almost 4 years ago

  • Assignee set to Chris Buechler
  • Target version changed from 2.2.3 to 2.3

This is still replicable as described, but only with ASAs, and only as initiator when triggered by traffic. Manually connecting it is fine, it's fine if it's responder, it rekeys no problem indefinitely. Google GCE cloud VPNs, various strongswan versions on Linux all fine. openiked doesn't work with PSK apparently so not an exactly comparable test with certs, but it works too. Will revisit.

#2 Updated by Jim Thompson over 3 years ago

Can you retry this with a recent version of strongswan?

#3 Updated by Jim Thompson over 3 years ago

  • Priority changed from Very High to Normal

I'm turning this down to "Normal". It can't be "Very High" if we've released N times in the past 5 months.

#4 Updated by Chris Buechler over 3 years ago

  • File asa-failed.pcap added
  • File asa-works.pcap added
  • File asa-failed.txt added
  • File asa-works.txt added
  • Affected Version changed from 2.2.2 to 2.2.x

Still the same issue with latest strongswan. Attaching some ASA logs and pcaps. I'll give Linux a shot again to compare.

#5 Updated by Jim Thompson over 3 years ago

Bump to see if linux testing revealed anything.

#6 Updated by Chris Buechler about 3 years ago

  • Target version deleted (2.3)

Details of what's happening here:
https://wiki.strongswan.org/issues/1313

#7 Updated by Chris Buechler about 3 years ago

  • File deleted (asa-failed.pcap)

#8 Updated by Chris Buechler about 3 years ago

  • File deleted (asa-works.pcap)

#9 Updated by Chris Buechler about 3 years ago

  • File deleted (asa-failed.txt)

#10 Updated by Chris Buechler about 3 years ago

  • File deleted (asa-works.txt)

#11 Updated by Chris Buechler about 3 years ago

  • Description updated (diff)

#12 Updated by Jim Thompson about 3 years ago

"Affected version is 2.2.2 and 2.2.3."

Does this not affect 2.3?

#13 Updated by Chris Buechler about 3 years ago

Jim Thompson wrote:

"Affected version is 2.2.2 and 2.2.3."

Does this not affect 2.3?

I removed that from the original description as that didn't seem to be true; every version with strongswan does the same here, including 2.3.

#14 Updated by Chris Buechler about 3 years ago

  • Status changed from Confirmed to Resolved
  • Target version set to 2.3

Fixed, thanks to Tobias Brunner on the strongswan ticket for pointing out a charon config option I missed.
